Building windows

Join the Club – Hotels Under Siege

On December 23, 2015, Hyatt Hotels announced that it had become the latest member of what has become a large club – hotel companies that have been the target of malware attacks.  During the past year, virtually every major brand – Hilton, White Lodging, Mandarin Oriental, Starwood and Trump Collection, among others – have shared that distinction.

Welcome to the Club.  Being a member of this club is a problem for anyone, and for hotel brands in particular.  Earlier this month, Hotel Management, citing a recent study by Gemalto, a digital security firm, highlighted the consequences of a data breach:  “Nearly two-thirds of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and half of them had the same opinion when it came to data breaches where personal information was stolen.”  Moreover, the same study revealed that almost a quarter of respondents would consider legal action against the company that failed to protect their personal information.

Hotel guests have to have a high degree of trust; while retailers may obtain some financial and personal information about their customers, hotels are entrusted with the physical safety of guests and their property.  People engage in transactions with merchants; they enter into a relationship with a hotel, and if they distrust the brand that the hotel represents, they will think twice about patronizing that brand.

Why are Hotels Targets?  Hotels collect valuable financial and personal information, and there are many possible attack points.  The most recent disclosures have focused on point of sale systems, but other system vulnerabilities exist.  Moreover, the human factor – which is implicated in 95% of breach incidents – is a major concern for hotels, given the number of individuals involved in hotel transactions, from the front desk to hotel operators to food and beverage operations.

What should Brands, Operators and Owners do?  Because there is no question that hotels are a target of hackers, hotel operators and brands need to respond.  The response has to be more than an individual effort, however; the defense requires a coordinated effort by all those impacted, including consumers.  Among other things:

  • Brands and operators need to evaluate their current systems and ensure that they are secure, and if not, invest in designing and implementing secure systems, and keeping them secure.
  • Data security should be analyzed across platforms – the integration of different systems in hotels, some implemented by operators and some by owners, must be integrated.
  • Brands must consider how to implement new initiatives in light of their impact on security. For example, some brands have implemented or are considering allowing guests to use smartphones in place of keys.  The differing security standards for smartphones and applications, as well as the elimination of the front desk, need to be considered when adopting these programs.
  • Greater emphasis on training is essential – technical security can almost always be overcome by negligence or malfeasance, and only a “human firewall” can counteract human error.
  • Owners should not delegate cybersecurity to brands and operators; they should evaluate security standards and procedures as rigorously as they analyze property improvement plans and brand standards, and demand that their operators and brands implement effective systems and training. Owners ultimately bear the cost of a breach, and the cost of preventing one is far less that the cost of responding.
  • Guests can be part of the problem or part of the solution. Notice of a data breach should not be the first time they become aware of their part in cybersecurity.

A lot of firms joined the “I’ve been breached club” in 2015 – let’s hope that 2016 is when they join the prevention club.


Robert Braun is Co-Chair of the Cybersecurity and Privacy Group, and a senior member of the Global Hospitality Group, at Jeffer Mangels Butler & Mitchell LLP.  Based in Los Angeles, California, Bob assists firms in responding to data breaches, advance cybersecurity planning and technology transactions, as well negotiating agreements between hotel owners, operators and brands.